Which combination of steps should a security engineer take before investigating the issue?

Explanations:

Disabling termination protection is not advisable in this situation, as it could lead to accidental deletion of the instance while troubleshooting the high CPU usage issue. Termination protection should generally be enabled to prevent unintentional termination of critical resources.

Enabling termination protection ensures that the EC2 instance cannot be terminated accidentally during the investigation process. This is a precautionary measure to safeguard the instance while determining the cause of the high CPU usage.

Taking snapshots of the attached EBS data volumes is essential to preserve the current state of the data before any changes or potential data loss occurs. This allows for forensic analysis if the instance is compromised or if important data needs to be recovered.

Removing all snapshots is counterproductive as it can result in loss of data and forensic evidence. Snapshots serve as backups, and deleting them would eliminate the opportunity to investigate the previous state of the EBS volumes.

Capturing the EC2 instance metadata and tagging it as under quarantine helps in tracking and managing the instance during the investigation. This step ensures that the instance can be identified and isolated for further analysis without interference.

Immediately removing sensitive information from EC2 instance metadata is not a standard practice and can lead to loss of important context or data that might be necessary for investigation. Instead, the metadata should be preserved for analysis.